- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Mon, 29 Sep 2008 10:54:54 +0200
2008/9/25 Toby A Inkster <mail at tobyinkster.co.uk>:
>> 3) Add an on-by-default mechanism that prevents UI actions from being taken
>> when a document tries to obstruct portions of a non-same-origin frame.
>
> Something like focus-follows-mouse plus autoraise for IFRAMEs might work.

Not likely. The entire point of an IFRAME is to blend in seamlessly with the rest of the parent site's content. I think it is just about impossible to come up with a UI that will violate this "meshability" of the IFRAME in a non-intrusive way AND signal clearly to Mr. Newbie User that this part of the page comes from another site than the rest and should be given a different level of "trust". Plainly: I believe there are no acceptable UI solutions to this problem.

What follows is my personal opinion which I've also explained on internal Opera mailing lists (I've seen some people agree but I want to make it clear that I'm not expressing any developer consensus or expressing "Opera's point of view" just yet).

To give webmasters more ways to deal with this situation, I think we should implement the Access Control "Origin" HTTP header only (assuming that it should refer to the top site in the frameset hierarchy).

Reasoning: Sites may want to use any of several policies in a "somebody framed me" situation. For example, these are all policies a site may want to deploy:

1. nobody may frame my content
2. selected sites only may frame my content
3. anyone may frame my content but not re-use an existing session
4. anyone may frame my content

Giving the site an "Origin: http://www.example.com" HTTP header in the initial request lets the backend implement any of these policies. Instead of responding with a payload that always includes some variant of the proposed "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" header, the site can send or redirect to a framebreaking "embedding forbidden" page for policy #1. It can do so selectively based on origin site and/or requested content for policy #2. It can kill existing cookies, void the session and set new origin-specific cookies for policy #3.

IMO the only UI precaution we can/should do if possible is to make transparent IFRAMEs "transparent to events" - basically un-focusable.

-- 
Hallvord R. M. Steen
Received on Monday, 29 September 2008 01:54:54 UTC
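The four framing policies from the message, as an added example of the server-side logic they imply; this is not Hallvord Steen's code nor Opera's, and it assumes the header semantics he proposes (the Origin value names the top document in the frame hierarchy and is absent when the resource is loaded top-level), which is not what browsers actually send today, where the page-side control for this is X-Frame-Options / CSP frame-ancestors rather than a request header. The `sid` cookie name, the `/embedding-forbidden` path and the example origins are hypothetical.

```python
"""Framing policy decided from a request's Origin header.

Added example, not code from the original message or from Opera.
Assumes (as the message proposes) that Origin carries the origin of the
*top* document in the frameset hierarchy and is absent for top-level loads.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Policy(Enum):
    DENY_ALL = 1              # nobody may frame my content
    ALLOW_LISTED = 2          # selected sites only
    ALLOW_NO_SESSION_REUSE = 3  # anyone, but not with an existing session
    ALLOW_ALL = 4             # anyone


@dataclass
class Decision:
    status: int
    headers: list = field(default_factory=list)  # list of (name, value)
    body: str = ""


FRAMEBREAK_PAGE = "/embedding-forbidden"   # hypothetical framebreaking page
SESSION_COOKIE = "sid"                     # hypothetical top-level session cookie


def normalize_origin(value):
    """Canonicalise an Origin header to scheme://host[:port].

    Returns None for a missing or opaque ("null") origin, or for anything
    that is not a plain http/https origin. Lower-cases host and scheme and
    drops a default port so that allow-list comparisons are exact.
    """
    if value is None or value.strip().lower() in ("", "null"):
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port and port != {"http": 80, "https": 443}[parts.scheme]:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def session_cookie_name(framer_origin):
    """Policy #3: a cookie name bound to the framing origin, so a framed
    load gets its own session and cannot ride on the top-level one."""
    tag = hashlib.sha256(framer_origin.encode()).hexdigest()[:16]
    return f"{SESSION_COOKIE}_{tag}"


def decide(policy, origin_header, self_origin, allowed=(), cookies=None):
    """Return the response the backend should send for a request.

    Caveat inherent in the proposal: an absent Origin header is
    indistinguishable from a browser that does not send it at all, so the
    absent case necessarily fails open (served as if not framed).
    """
    cookies = cookies or {}
    framer = normalize_origin(origin_header)
    if framer is None or framer == self_origin:
        return Decision(200, body="content")          # not framed, or self-framed

    if policy is Policy.DENY_ALL:
        return Decision(302, [("Location", FRAMEBREAK_PAGE)])

    if policy is Policy.ALLOW_LISTED:
        if framer in set(allowed):
            return Decision(200, body="content")
        return Decision(302, [("Location", FRAMEBREAK_PAGE)])

    if policy is Policy.ALLOW_NO_SESSION_REUSE:
        headers = []
        if SESSION_COOKIE in cookies:
            # kill the shared top-level session for this framed load
            headers.append(("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/"))
        name = session_cookie_name(framer)
        if name not in cookies:
            fresh = secrets.token_urlsafe(24)          # new origin-specific session
            headers.append(("Set-Cookie", f"{name}={fresh}; Path=/; HttpOnly; SameSite=None; Secure"))
        return Decision(200, headers, body="content")

    return Decision(200, body="content")              # Policy.ALLOW_ALL


if __name__ == "__main__":
    d = decide(Policy.DENY_ALL, "https://attacker.example", "https://bank.example")
    print(d.status, d.headers)
```

The decision is made per request and per framing origin, which is exactly what a static "do not frame me" response header cannot express; the cost, visible in `decide`, is that a missing Origin must be treated as "not framed", so a browser that does not send the header gets the permissive path.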